Generate Certs for Mutation/Validatiion Webhooks

- Add the ability to generate tls cert from helm for webhooks.
- By default it's on but you can pass your own certificates.
- Target gen-install  use our default certificate to stay idempotent
- certificates are passed by kubernetes secrets.
- Remove certs from controller container (Dockerfile)
- Add a target to remove gcloud deployment, usefull to reset
- Update helm chart documentation
- Generate new install.yaml
- update installation documentation

build/Makefile

@@ -170,7 +170,9 @@ push-agones-sdk-image: ensure-build-image
 # Generate the static install script
 gen-install: ensure-build-image
 	docker run --rm $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) bash -c \
-		'helm template --name=agones-manual $(mount_path)/install/helm/agones > $(mount_path)/install/yaml/install.yaml'
+		'helm template --name=agones-manual $(mount_path)/install/helm/agones \
+		--set agones.controller.generateTLS=false \
+		> $(mount_path)/install/yaml/install.yaml'
 
 # Generate the SDK gRPC server and client code
 gen-gameservers-sdk-grpc: ensure-build-image
@@ -271,6 +273,10 @@ gcloud-test-cluster: ensure-build-image
 	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) kubectl apply -f $(mount_path)/build/helm.yaml
 	docker run --rm $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) helm init --service-account helm
 
+clean-gcloud-test-cluster: ensure-build-image
+	docker run --rm -it $(common_mounts) $(DOCKER_RUN_ARGS) $(build_tag) gcloud \
+		deployment-manager deployments delete test-cluster
+
 # Pulls down authentication information for kubectl against a cluster, name can be specified through CLUSTER_NAME
 # (defaults to 'test-cluster')
 gcloud-auth-cluster: ensure-build-image

cmd/controller/Dockerfile

@@ -3,7 +3,6 @@ FROM alpine:3.7
 RUN apk --update add ca-certificates && \
     adduser -D agones
 
-COPY ./certs /home/agones/certs
 COPY ./bin/controller /home/agones/controller
 
 RUN chown -R agones /home/agones && \

docs/installing_agones.md

@@ -193,6 +193,10 @@ We can install Agones to the cluster using the
 kubectl apply -f https://raw.githubusercontent.com/googlecloudplatform/agones/release-0.1/install.yaml
 ```
 
+> Note: Installing Agones with the `intall.yaml` will setup the TLS certificates stored in this repository for securing 
+> kubernetes webhooks communication. If you want to generates new certificates or use your own,
+> we recommend using the helm installation.
+
 ## Install using Helm
 
 Also, we can install Agones using [Helm][helm] package manager. If you want more details and configuration

install/helm/README.md

@@ -78,6 +78,7 @@ The following tables lists the configurable parameters of the Agones chart and t
 | `agones.controller.healthCheck.failureThreshold`       | Number of times before giving up (in seconds)                   | `3`                        |
 | `agones.controller.healthCheck.timeoutSeconds`         | Number of seconds after which the probe times out (in seconds)  | `1`                        |
 | `agones.controller.resources`  | Controller resource requests/limit | `{}`
+| `agones.controller.generateTLS`  | Set to true to generate TLS certificates or false to provide your own certificates in `certs/*` | `true`
 | `gameservers.namespaces`                         | a list of namespaces you are planning to use to deploy game servers | `["defaut"]` |
 | `gameservers.minPort`                            | Minimum port to use for dynamic port allocation                 | `7000`                     |
 | `gameservers.maxPort`                            | Maximum port to use for dynamic port allocation                 | `8000`                     |

install/helm/agones/templates/admissionregistration.yaml

@@ -0,0 +1,112 @@
+# Copyright 2018 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- $ca := genCA "admission-controller-ca" 3650 }}
+{{- $cn := printf "agones-controller-service" }}
+{{- $altName1 := printf "agones-controller-service.%s"  .Values.agones.namespace }}
+{{- $altName2 := printf "agones-controller-service.%s.svc" .Values.agones.namespace }}
+{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: agones-validation-webhook
+  namespace: {{ .Values.agones.namespace }}
+webhooks:
+  - name: validations.stable.agones.dev
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: agones-controller-service
+        namespace: {{ .Values.agones.namespace }}
+        path: /validate
+{{- if .Values.agones.controller.generateTLS }}
+      caBundle: {{ b64enc $ca.Cert }}
+{{- else }}
+      caBundle: {{ .Files.Get "certs/server.crt" | b64enc }}
+{{- end }}
+    rules:
+      - apiGroups:
+          - stable.agones.dev
+        resources:
+          - "gameservers"
+          - "fleetallocations"
+        apiVersions:
+          - "v1alpha1"
+        operations:
+          - CREATE
+      - apiGroups:
+          - stable.agones.dev
+        resources:
+          - "gameserversets"
+          - "fleetallocations"
+        apiVersions:
+          - "v1alpha1"
+        operations:
+          - UPDATE
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: agones-mutation-webhook
+  namespace: {{ .Values.agones.namespace }}
+  labels:
+    component: controller
+    app: {{ template "agones.name" . }}
+    chart: {{ template "agones.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+webhooks:
+  - name: mutations.stable.agones.dev
+    failurePolicy: Fail
+    clientConfig:
+      service:
+        name: agones-controller-service
+        namespace: {{ .Values.agones.namespace }}
+        path: /mutate
+{{- if .Values.agones.controller.generateTLS }}
+      caBundle: {{ b64enc $ca.Cert }}
+{{- else }}
+      caBundle: {{ .Files.Get "certs/server.crt" | b64enc }}
+{{- end }}
+    rules:
+      - apiGroups:
+          - stable.agones.dev
+        resources:
+          - "gameservers"
+          - "fleets"
+          - "fleetallocations"
+        apiVersions:
+          - "v1alpha1"
+        operations:
+          - CREATE
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "agones.fullname" . }}-cert
+  namespace: {{ .Values.agones.namespace }}
+  labels:
+    app: {{ template "agones.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+{{- if .Values.agones.controller.generateTLS }}
+  server.crt: {{ b64enc $cert.Cert }}
+  server.key: {{ b64enc $cert.Key }}
+{{- else }}
+  server.crt: {{ .Files.Get "certs/server.crt" | b64enc }}
+  server.key: {{ .Files.Get "certs/server.key" | b64enc }}
+{{- end }}

install/helm/agones/templates/controller.yaml

@@ -64,3 +64,11 @@ spec:
         resources:
 {{ toYaml .Values.agones.controller.resources | indent 10 }}
 {{- end }}
+        volumeMounts:
+        - name: certs
+          mountPath: /home/agones/certs
+          readOnly: true
+      volumes:
+      - name: certs
+        secret:
+          secretName: {{ template "agones.fullname" . }}-cert

install/helm/agones/values.yaml

@@ -21,6 +21,7 @@ agones:
     sdk: agones-sdk
   controller:
     resources: {}
+    generateTLS: true
     healthCheck:
       http:
         port: 8080